Former Gizmodo Writer's iCloud Account Was Hacked With Deception

When former Gizmodo US writer Mat Honan was hacked, and the Gizmodo US Twitter account was compromised, we all assumed the weak link in the chain was on the user end. It turns out that may not have been the case -- the hackers didn't even need a password to get started.

When everything first went down, the way the hackers made their way in was hazy. The assumption was that since the password wasn't known to have been leaked, it must have been brute forced. But now it's become clear that the hackers called Apple tech support and posed as Mat to bypass the security questions. It worked.

From Mat's blog:

"I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions."

If the hackers didn't answer the security questions but merely managed to socially engineer their way around the questions with other bits of personal information, that lays a lot of the blame in Apple's lap. Any unauthorised access to an account is problematic -- doubly so when the fallout of such a breach includes the remote deletion of several extremely important devices and the ability to request new passwords for several other accounts.

Mat might have a bit more information floating around out there than the average iCloud user, but if that information wasn't literal answers to his security questions, that shouldn't really have mattered. Until the gritty details of the deceptive conversation come out, there's not much users can do to protect themselves from something similar. Just don't go around tweeting your mother's maiden name. And never, ever rely on the cloud. [Emptyage]

Image: olly/Shutterstock



    The very reason I don't have anything on the cloud.

    One day someone will breach the cloud itself and a lot of users will be affected then.

      The only man with an umbrella in the middle of a storm


    You can take your tin foil hat off now..

    Fire the guy that let the hacker get the details. And the company should retrain its staff, even in the face of a "customer complaint" they should not have released the information without following the procedures.

      Everything above suggests they did follow procedures, but the intruder was able to answer details/questions anyway.

    As a system engineer and administrator, I see the potential of a hacker accessing information from any cloud company. Even if the company promotes they are secure, people, there is no such thing as secure on the net and it's funny how companies are considering the cloud for their confidential data.

    You can't really blame the Apple tech support for this.

    I have a password manager now, so that I can have a unique gibberish password for each place that needs one.. up to like 50+ passwords now.

    Each of those potentially has a number of security questions to be used for resetting the password etc. People must forget their security question/answer pairs all the time with that much info to try and remember.. I know with some of them I don't use frequently enough to remember them immediately when asked, I usually have to think about it for a while.

    Just about every place I've dealt with has a procedure for bypassing the security questions in some manner. eg if you get close enough to the right answer, it's ok as long as you have a bunch of other personal details to help confirm it's you.

    Not to mention plenty of places just have questions like "what was your first high school" or "what was your mother's maiden name", which can't be too difficult to track down with the way the internet is now.

    The issue is the use of a password system in the first place.. really need something to replace that, and soon.

      I find that security questions are a bigger threat than the password security itself. I always select a random question(s) and then use a similar algorithm that I use for my password for an answer that has nothing to do with the question. This way even if someone knows the answer to the question it won't be what I've used.

    Never trust Apple, simple. I am perfectly happy with my Windows PC and my non-existent mCloud account (thank god Microsoft don't require crap like that!).

      Side note. Windows 8 is intended for cloud integration.

      Windows 8 is getting deep cloud integration. So... your point is?

        You are not forced to use it as Apple has done with its users in the past.. I've moved back to Microsoft just for this reason alone!

    Easy solution.. for all calls to support, do a callback. If you call support for an account related question, they should use a number ON FILE to call you straight back. Ideally, you would have 2 numbers on file (one for your mobile and another for home/office or your partner's phone).

      Problems arise if the number supplied is no longer valid, correct or in the user's possession. Keep in mind iCloud related questions for example will probably be tied to an iPhone in most cases. If someone needs to contact support then there is a chance it is over a stolen phone.

        Add to that, if you are the person that has stolen the phone, you very well may have access to quite a lot of data that would allow you to answer any security questions. A call back will go straight to you (if you call Apple before the real user calls their telco), in which case nothing was achieved by the call back.

    This sounds similar to the method some people have used to steal Xbox Live accounts - basically, personnel-hopping and abusing the gaps in security that can sometimes form when you're transferred from one phone operator to another at a different level or in another area.

    CLOUD - Complete Loss Of User Data...
